Python: More HTTP request handler *args/**kwargs modeling
I looked through all `override Parameter getARoutedParameter() {` in our
codebase, and we are now modeling *args/**kwargs for all of them 👍
@@ -66,6 +66,9 @@ private module FastApi {
|
||||
result = this.getARequestHandler().getArgByName(_) and
|
||||
// type-annotated with `Response`
|
||||
not any(Response::RequestHandlerParam src).asExpr() = result
|
||||
or
|
||||
// **kwargs
|
||||
result = this.getARequestHandler().getKwarg()
|
||||
}
|
||||
|
||||
override DataFlow::Node getUrlPatternArg() {
|
||||
|
||||
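Review bot: The new `result = this.getARequestHandler().getKwarg()` disjunct is not subject to the `not any(Response::RequestHandlerParam src).asExpr() = result` exclusion that the `getArgByName(_)` case carries two lines above, and nothing in the hunk says whether that is deliberate. This hunk also models only `**kwargs` while the Flask hunk in the same commit models both `*args` and `**kwargs`; if the reason is that FastAPI hands routed values to handlers by keyword only, a one-line comment such as `// *args is not modeled here: routed values are passed as keyword arguments` above the `or` would record it for the next reader. The enclosing getARoutedParameter predicate begins outside the hunk.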
@@ -279,6 +279,9 @@ module Flask {
|
||||
name = match.regexpCapture(werkzeug_rule_re(), 4)
|
||||
)
|
||||
)
|
||||
or
|
||||
// **kwargs
|
||||
result = this.getARequestHandler().getKwarg()
|
||||
}
|
||||
|
||||
override string getFramework() { result = "Flask" }
|
||||
@@ -347,6 +350,12 @@ module Flask {
|
||||
// more FPs. If this turns out to be the wrong tradeoff, we can always change our mind.
|
||||
result in [this.getArg(_), this.getArgByName(_)] and
|
||||
not result = this.getArg(0)
|
||||
or
|
||||
// *args
|
||||
result = this.getVararg()
|
||||
or
|
||||
// **kwargs
|
||||
result = this.getKwarg()
|
||||
}
|
||||
|
||||
override string getFramework() { result = "Flask" }
|
||||
|
||||
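Review bot: The `*args`/`**kwargs` disjuncts in the @@ -347 hunk are written as bare `result = this.getVararg()` and `result = this.getKwarg()`, whereas the Tornado hunks in the same commit spell the same idea as `this.getVararg().(Parameter)` and `this.getKwarg().(Parameter)` inside an `in [...]` list; the two forms should be aligned so a reader does not wonder whether the cast matters. The same bare form is used for the `**kwargs` disjunct added in the @@ -279 hunk. Since the comment on the context line already frames this branch as a deliberate FP tradeoff, extending it with `// *args/**kwargs are included for the same reason` would keep the rationale next to the new lines. Both enclosing predicates start outside their hunks.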
@@ -416,7 +416,10 @@ module Tornado {
|
||||
// more FPs. If this turns out to be the wrong tradeoff, we can always change our mind.
|
||||
exists(Function requestHandler | requestHandler = this.getARequestHandler() |
|
||||
not exists(this.getUrlPattern()) and
|
||||
result in [requestHandler.getArg(_), requestHandler.getArgByName(_)] and
|
||||
result in [
|
||||
requestHandler.getArg(_), requestHandler.getArgByName(_),
|
||||
requestHandler.getVararg().(Parameter), requestHandler.getKwarg().(Parameter)
|
||||
] and
|
||||
not result = requestHandler.getArg(0)
|
||||
)
|
||||
or
|
||||
@@ -429,6 +432,12 @@ module Tornado {
|
||||
result = requestHandler.getArg(regex.getGroupNumber(_, _))
|
||||
or
|
||||
result = requestHandler.getArgByName(regex.getGroupName(_, _))
|
||||
or
|
||||
exists(regex.getGroupNumber(_, _)) and
|
||||
result = requestHandler.getVararg()
|
||||
or
|
||||
exists(regex.getGroupName(_, _)) and
|
||||
result = requestHandler.getKwarg()
|
||||
)
|
||||
}
|
||||
}
|
||||
@@ -446,7 +455,10 @@ module Tornado {
|
||||
// Since we don't know the URL pattern, we simply mark all parameters as a routed
|
||||
// parameter. This should give us more RemoteFlowSources but could also lead to
|
||||
// more FPs. If this turns out to be the wrong tradeoff, we can always change our mind.
|
||||
result in [this.getArg(_), this.getArgByName(_)] and
|
||||
result in [
|
||||
this.getArg(_), this.getArgByName(_), this.getVararg().(Parameter),
|
||||
this.getKwarg().(Parameter)
|
||||
] and
|
||||
not result = this.getArg(0)
|
||||
}
|
||||
|
||||
|
||||
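Review bot: In the @@ -429 hunk the `*args` disjunct fires whenever `regex.getGroupNumber(_, _)` exists, independently of whether the pattern also has named groups; if, as I recall from Tornado's path matching, captures are delivered as keyword arguments only once any named group is present, this over-approximates for mixed patterns and could be tightened with `not exists(regex.getGroupName(_, _)) and` on the vararg branch, provided `getGroupNumber` also counts named groups (worth checking in the regex library). Either way, a short comment such as `// unnamed groups are passed positionally, named groups by keyword` above the two new disjuncts would document the assumption the code relies on. The @@ -416 and @@ -446 hunks apply the same `.(Parameter)` list form and need no separate note. The enclosing predicates begin outside their hunks.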